Flux159/mcp-server-kubernetes
Sensitive access patterns — review carefully.
AI review
This MCP server provides full Kubernetes cluster management capabilities, including destructive operations like pod exec, apply, delete, and Helm chart management. It reads sensitive credentials (kubeconfig, tokens, CA data) from environment variables and passes them to subprocesses, creating a significant risk of credential exfiltration if an attacker can inject prompts. The CI pipeline downloads and executes a remote script (get-helm-3) without verification, which could be a supply chain attack vector.
- high Remote code execution in CI pipeline — In .github/workflows/ci.yml:31, the workflow runs `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash`, which downloads and executes a shell script from a remote URL without integrity verification (no pinned version or checksum). This could be exploited if the Helm repository is compromised or if a man-in-the-middle attack occurs.
- high Credential exposure via environment variables to subprocesses — Multiple tool files (kubectl-apply.ts, kubectl-delete.ts, helm-operations.ts, etc.) pass the entire process environment including KUBECONFIG, KUBECONFIG_YAML, K8S_TOKEN, and other sensitive variables to child processes via `env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG }`. This means any command executed through these tools can access all Kubernetes credentials.
- high Destructive operations available without restriction — The server exposes tools for pod exec, resource deletion, Helm chart installation, and other destructive operations. While there is an ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS environment variable, it is opt-in and not enforced by default. An attacker who can inject prompts could delete or modify cluster resources.
- medium Unsafe kubectl flags allowed by default — The server checks `ALLOW_KUBECTL_UNSAFE_FLAGS` environment variable (src/security/kubectl-flags.ts:79) but does not restrict dangerous flags like `--insecure-skip-tls-verify` or `--token` by default. If enabled, this could allow bypassing security controls.
- medium No input sanitization for kubectl commands — The server constructs kubectl commands from user-provided arguments (e.g., in kubectl-generic.ts, kubectl-apply.ts) and executes them via child_process. Without proper sanitization, an attacker could inject additional flags or commands through crafted arguments.
Model: deepseek-chat
Static findings
Remote code execution · Downloads and executes remote code
.github/workflows/ci.yml:31
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Shell / command execution · Executes shell / system commands
ADVANCED_README.md:5
If you have large clusters or see a `spawnSync ENOBFUS` error, you may need to specify the environment argument `SPAWN_MAX_BUFFER` (in bytes) when running the server. See [this issue](https://github.c
src/security/kubectl-flags.ts:5
} from "child_process";
src/tools/helm-operations.ts:152
* Execute a command using child_process.execFileSync with proper error handling.
src/tools/node-management.ts:106
* Execute a command using child_process.execFileSync with proper error handling.
src/tools/port_forward.ts:1
import { spawn } from "child_process";
tests/helm.test.ts:8
import { execSync } from "child_process";
tests/kubectl-context.unit.test.ts:4
import { execFileSync } from "child_process";
Environment variables (config / keys) · Reads environment variables (config / API keys)
src/config/max-buffer.ts:2
return parseInt(process.env.SPAWN_MAX_BUFFER || "1048577", 10);
src/config/telemetry-config.ts:31
const samplerType = process.env.OTEL_TRACES_SAMPLER;
src/index.ts:84
const allowOnlyReadonlyTools = process.env.ALLOW_ONLY_READONLY_TOOLS === "true";
src/security/kubectl-flags.ts:79
return process.env.ALLOW_KUBECTL_UNSAFE_FLAGS === "true";
src/tools/exec_in_pod.ts:123
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/helm-operations.ts:164
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-apply.ts:104
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-context.ts:80
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-create.ts:431
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-delete.ts:162
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-describe.ts:78
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
src/tools/kubectl-generic.ts:137
env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
+ 21 more
Outbound network · Makes outbound network requests
tests/dns-rebinding.test.ts:9
/** Send a POST /mcp request with a custom Host header via http.request (fetch doesn't allow Host override). */
tests/sse.test.ts:153
const response = await fetch(readyUrl, {
tests/streaming_http.test.ts:57
const response = await fetch(readyUrl, {
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.